Bug #28728 server crash with EXPLAIN EXTENDED .. and subqueries
Submitted: 28 May 2007 17:07 Modified: 10 Jun 2007 18:27
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed Impact on me: None
Category: MySQL Server: Optimizer Severity: S1 (Critical)
Version: 5.0.42, 5.0.44, 5.1.20 OS: Any
Assigned to: Igor Babaev CPU Architecture: Any
Tags: crash, explain, subquery

[28 May 2007 17:07] Shane Bester
Description:
Server crashes when using EXPLAIN EXTENDED.
Linux and Windows versions crash. Tables must be InnoDB for this testcase.
5.1.19 didn't crash.

Stack trace (trimmed down):

mysqld-debug.exe!Item_field::print
mysqld-debug.exe!st_select_lex::print_order
mysqld-debug.exe!st_select_lex::print
mysqld-debug.exe!st_select_lex_unit::print
mysqld-debug.exe!st_table_list::print
mysqld-debug.exe!print_join
mysqld-debug.exe!st_select_lex::print
mysqld-debug.exe!st_select_lex_unit::print
mysqld-debug.exe!mysql_execute_command
mysqld-debug.exe!mysql_parse
mysqld-debug.exe!dispatch_command
mysqld-debug.exe!do_command
mysqld-debug.exe!handle_one_connection
mysqld-debug.exe!pthread_start
mysqld-debug.exe!_callthreadstart
mysqld-debug.exe!_threadstart
kernel32.dll!FlsSetValue

How to repeat:
drop table if exists t1;
drop table if exists t2;
drop table if exists t3;
create table t1(c1 varchar(100)) engine=innodb;
create table t2(c7 int) engine=innodb;
create table t3(c3 int, c7 int, c4 varchar(200)) engine=innodb;
explain extended select * from (select t3.c4, (select c1 from t1 limit 1) as d, count(*) as c from t2, t3 group by t3.c4, d) as res;

Suggested fix:
.
[28 May 2007 17:09] MySQL Verification Team
Full stack trace on 5.0.42, Windows.

Attachment: bug28728_5.0.42_win_debug.txt (text/plain), 1.68 KiB.

[28 May 2007 17:12] MySQL Verification Team
If the release binary doesn't crash, please try the debug binary.
[28 May 2007 17:25] MySQL Verification Team
-------------------
Smaller testcase:
-------------------

drop table if exists t1;
create table t1(c1 int) engine=innodb;
explain extended select * from (select c1 from t1 group by c1) as d1;
[28 May 2007 18:07] MySQL Verification Team
Linux stack trace, 5.0.44BK.

Attachment: bug28728_5.0.44_linux_debug.txt (text/plain), 2.67 KiB.

[30 May 2007 16:15] MySQL Verification Team
5.1.20 crashed too.
[2 Jun 2007 18:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/27993

ChangeSet@1.2508, 2007-06-02 11:44:16-07:00, igor@olga.mysql.com +3 -0
  Fixed bug #28728: a crash when executing EXPLAIN EXTENDED for a query
  using a derived table over a grouping subselect.
  
  This crash happens only when materialization of the derived tables
  requires creation of an auxiliary temporary table, for example when
  a grouping operation is carried out with usage of a temporary table.

  The crash happened because EXPLAIN EXTENDED, when printing the query
  expression, made an attempt to use the objects created in the mem_root
  of the temporary table, which had already been freed by the moment
  printing was called.
  
  This bug appeared after the method Item_field::print() had been 
  introduced.
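The lifetime problem the commit message describes, modelled in C as an added example (this is not MySQL's code and not the committed patch): a mem_root-style arena, an Item_field-like node whose name strings live in the temporary table's arena, and what the print step sees once that arena has been recycled. The "copy the names into the statement's root" path is an assumed mitigation pattern for illustration only, not the actual fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bump-pointer arena standing in for a MySQL MEM_ROOT (constructed model, not server code). */
typedef struct { char *buf; size_t used, cap; } mem_root_t;
static void init_root(mem_root_t *r, size_t cap) { r->buf = malloc(cap); r->used = 0; r->cap = cap; }
static void free_root(mem_root_t *r) { free(r->buf); r->buf = NULL; r->used = r->cap = 0; }
static char *strdup_root(mem_root_t *r, const char *s) {
    size_t n = strlen(s) + 1;
    if (r->used + n > r->cap) return NULL;
    char *p = memcpy(r->buf + r->used, s, n);
    r->used += n;
    return p;
}
/* Recycle the arena the way a debug allocator would: poison the old bytes so a
 * stale pointer into it yields visibly wrong data instead of silently "working". */
static void recycle_root(mem_root_t *r) {
    if (r->used) { memset(r->buf, '#', r->used); r->buf[r->used - 1] = '\0'; }
    r->used = 0;
}
/* Item_field-like node: it holds only pointers to its names, not the bytes. */
typedef struct { const char *table_name; const char *field_name; } item_field_t;
/* Build the item in the temporary table's root, tear that root down, then print
 * the item as EXPLAIN EXTENDED would. copy_to_stmt_root == 0 is the lifetime
 * mistake from the commit message; 1 re-homes the names in the statement root
 * (hypothetical mitigation, not the real patch). */
static const char *print_after_tmp_root_gone(int copy_to_stmt_root) {
    static char out[64];
    mem_root_t stmt_root, tmp_root;
    init_root(&stmt_root, 256);
    init_root(&tmp_root, 256);
    item_field_t item;
    item.table_name = strdup_root(&tmp_root, "t1");   /* owned by the temp table */
    item.field_name = strdup_root(&tmp_root, "c1");
    if (copy_to_stmt_root) {   /* names get the statement's lifetime instead */
        item.table_name = strdup_root(&stmt_root, item.table_name);
        item.field_name = strdup_root(&stmt_root, item.field_name);
    }
    recycle_root(&tmp_root);   /* temp table materialised and torn down before printing */
    snprintf(out, sizeof out, "`%s`.`%s`", item.table_name, item.field_name);
    free_root(&stmt_root); free_root(&tmp_root);
    return out;
}
int main(void) {
    printf("stale pointer:  %s\n", print_after_tmp_root_gone(0));
    printf("re-homed names: %s\n", print_after_tmp_root_gone(1));
    return 0;
}
```

In the real server the freed memory is returned to the allocator rather than poisoned in place, which is why the symptom on the page is a crash in Item_field::print rather than garbled output.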
[4 Jun 2007 21:21] Bugs System
Pushed into 5.1.20-beta
[4 Jun 2007 21:23] Bugs System
Pushed into 5.0.44
[10 Jun 2007 18:27] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented bugfix in 5.0.44 and 5.1.20 changelogs.